
+goretsky 837

Aside from the above-mentioned issues, some ISPs monetize your DNS queries, selling it to advertisers who then use it for advertising targeting. For example, instead of returning an NXDOMAIN they send you to a paid search portal. This is one way to make that more difficult.


jnelsoninjax 9,811

Aside from the above-mentioned issues, some ISPs monetize your DNS queries, selling it to advertisers who then use it for advertising targeting. For example, instead of returning an NXDOMAIN they send you to a paid search portal. This is one way to make that more difficult.

Regards,

Aryeh Goretsky

OK, I think I understand somewhat better, but I'm not worried enough to go to the trouble of encrypting DNS traffic now.

1


Brandon H 1,643


Aside from the above-mentioned issues, some ISPs monetize your DNS queries, selling it to advertisers who then use it for advertising targeting. For example, instead of returning an NXDOMAIN they send you to a paid search portal. This is one way to make that more difficult.

Regards,

Aryeh Goretsky

Couldn't you also get around this by switching DNS addresses to either GoogleDNS, OpenDNS, or another?

If so that'd be a much easier solution to that particular thing.

2


+goretsky 837


The ISP could redirect the IP addresses of competitive DNS servers to its own servers or monitor requests from those servers... unless, of course, they couldn't see the DNS requests because they were encrypted. After all, revenue is at stake here, and they modified their terms of service to require use of their DNS servers, there probably would not be too many customers willing to jump ship.

Regards,

Aryeh Goretsky

4 hours ago, Brandon H said:

Couldn't you also get around this by switching DNS addresses to either GoogleDNS, OpenDNS, or another?


+BudMan 3,084

While there are reasons you might want to do this.. If you're going to the lengths of encrypting your dns traffic from your ISP why would you not just encrypt all traffic via a vpn?

If you're worried about validation of records that you're getting - this is where dnssec comes into play. But it's only good for domains that use it. You can never be sure the data you're getting back from a dns query is legit or what the authoritative server wants to hand out without dnssec. Just because you encrypt data to some dns server, just means you're pretty sure you're talking to him and getting answers from him. Doesn't mean its answers are not wrong, or have been messed with..

If your tinfoil hat has you worried about your dns being monitored or messed with by your isp, why would you not just go full blown vpn for all your traffic?


Joe User 398

While there are reasons you might want to do this.. If you're going to the lengths of encrypting your dns traffic from your ISP why would you not just encrypt all traffic via a vpn?

If you're worried about validation of records that you're getting - this is where dnssec comes into play. But it's only good for domains that use it. You can never be sure the data you're getting back from a dns query is legit or what the authoritative server wants to hand out without dnssec. Just because you encrypt data to some dns server, just means you're pretty sure you're talking to him and getting answers from him. Doesn't mean its answers are not wrong, or have been messed with..

If your tinfoil hat has you worried about your dns being monitored or messed with by your isp, why would you not just go full blown vpn for all your traffic?

Why VPN already encrypted traffic though? Most websites use HTTPS now. Streaming services are all encrypted, email and games as well. So, at that point the only thing not regularly encrypted is DNS.

Might as well plug the last big security hole, especially since DNS is the Achilles' heel of the Internet.

Personally, I run my own resolvers, mostly because I have a lot of devices and my ISP's DNS servers are not great.

0


+BudMan 3,084


While I agree much traffic is https anyway, if your tinfoil hat says oh F them they can not see my dns traffic.. Why let them see where you're going via where your https traffic goes - might as well just hide it all. And now you can resolve vs using a forwarder and it's still hidden from your big bad isp wanting to spy on you


Tantawi 116

Some real world reasons:
- ISP greediness/intervention
- Government monitoring/blocking/censorship

- Government or ISPs blocking a VPN service entry point

I find it funny that every time a talk about VPNs or (tinfoil'y) stuff comes up, it is always put into the context of the "sane" countries... there are a lot of crazy places out there in the world, read/watch world news, or you can take a trip to such crazy countries yourself (which I will not recommend) and let's see how many tinfoil hats you will put!


+BudMan 3,084

Says you're in Sweden.. Prob the least crazy country on the whole planet

Comes down to this - if your traffic flows over a hostile network, then yes it's good to encrypt it - be it all traffic via vpn or just your dns.. Be it that hostile network is some strange wifi network you're on at some airport or pub or starbucks, or even your buddy's house, etc. If you feel your isp is a hostile network then sure you would want to encrypt your traffic across that network.

Then again most people are not doing anything that would make it matter. I am not in a country that I am worried about Gov spying on me - I don't give two ###### if they know I am going to neowin 50 times a day, etc. Or shopping on amazon.. Or reading BBC news, even if they were.

Let's be clear though - per the rules this site is not about discussing circumvention. So while you might be in a country that blocks XYZ, no matter how the rest of the world feels about it - it's circumvention and this place would not be the place to talk about how to get around such policies. If the site changes the wording on their policies - then be happy to discuss all the different ways to get around such blocks... My tinfoil hat is normally cocked to the side of my head really loose and about ready to just fall off. But if needed I can put it on so tight it cuts off blood to my brain

Keep in mind if gov agency wants to spy on you - they're sure not going to need isp to help them.. And more than likely something on your devices directly, so doesn't matter how many vpn's you use or how encrypted you make your dns queries... For all you know what they need to log everything you do is hardcoded in the chips that make up your device or the actual OS it's running (windows telemetry wink wink).. If you want to put your tinfoil hat on that tight


Tantawi 116

Says you're in Sweden.. Prob the least crazy country on the whole planet

Yes I am, but I am an Egyptian (the other extreme side on the crazy country meter)

The thing is not really about spying, spying is fine, but it is what comes after spying from the crazy country... like some jail time if you are lucky, or your flying head rolling on the floor if you are not so lucky.

I agree with most of what you said though.

0


Joe User 398


While I agree much traffic is https anyway, if your tinfoil hat says oh F them they can not see my dns traffic.. Why let them see where you're going via where your https traffic goes - might as well just hide it all. And now you can resolve vs using a forwarder and it's still hidden from your big bad isp wanting to spy on you

It's more of an adblocking thing for me, personally. I pay enough for access, if they want to mine my DNS queries or advertise on NXDOMAIN they can charge me less.

Also, the occasional redirect or popup message injected into my browser is really creepy. I get those about once a month.